New Backdoor Attacks Leverage Political Turmoil in Middle East
Two apparently politically motivated backdoor campaigns have been observed operating in the Middle East, targeting influential Palestinians. The aggressors are most likely the MoleRATs APT (aka The Gaza Cybergang, Extreme Jackal, Moonlight, and DustySky). MoleRATs operates out of Gaza and is believed to be associated with Hamas.
The two campaigns are primarily differentiated by the backdoor used, Spark or Pierogi, and have been named the Spark Campaign and the Pierogi Campaign respectively by researchers at Cybereason’s Nocturnus group. Spark is the older of the two malware families and has been known since January 2019. Nocturnus believes it was developed by MoleRATs themselves. Pierogi is a new, previously undocumented RAT, discovered by Cybereason in December 2019.
Pierogi is thought to have been developed by Ukrainians rather than MoleRATs themselves. There are numerous Ukrainian words within the code, including, for example, C2 commands. These include ‘ekspertyza’ (‘examine’, for requesting commands from the C2), ‘zavantazhyty’ (‘download’, for exfiltration), and ‘vydaly’ (‘delete’, for deleting certain requests). The Ukrainian connection is the reason for the Pierogi (a popular East European dish) name.
Both campaigns use email social engineering as the initial attack vector. Spark delivers a weaponized document or a malicious link. The lure is political, including themes based on the Hamas/Fatah conflict, the Israel/Palestine conflict, tensions based on the killing of Qasem Soleimani, and tensions between Hamas and the Egyptian government.
In this campaign, the lures lead to one of two file sharing websites: Egnyte or Dropbox. The target is encouraged to download an archive file containing an executable masquerading as a Word document. In one example, the lure is a PDF file purporting to be a special report allegedly quoted from the Egyptian newspaper Al-Ahram. The target is encouraged to click a link to access the entire article. The link connects to Egnyte, which hosts a file purporting to be the full article. The file has the same name as the PDF file, but is really a Windows executable with a fake Word icon. If the file is double-clicked, the executable unpacks and installs the Spark backdoor in the background, while a decoy document is displayed to the user.
Also included is a compiled AutoIt script. It drops two copies of Spark in different locations and creates a scheduled task for persistence. Spark can collect, encrypt and exfiltrate information about the machine. It can download additional payloads and can execute commands. It maintains low visibility by being packed with the Enigma packer, checking for certain anti-virus and other security products using WMI queries, and checking that the infected machine has an Arabic keyboard layout and Arabic language settings. If any of the anti-virus products are detected, or the keyboard is not Arabic, the payload does not execute.
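A triage check a defender can run over the contents of a downloaded archive, modelling the Spark delivery chain above (a file that reuses the lure document's name and carries a Word icon but is really a Windows executable). This is an added example, not code from the page, from Cybereason or from the campaign; the file names and byte strings are constructed sample data, and the icon is deliberately ignored because the operating system ignores it too: what matters is the extension and the first bytes of the file.

```python
"""Triage check for lure files that look like documents but run as executables.

Added example (not code from the page, Cybereason or the campaign) modelling
the Spark delivery chain: the archive contains a file with a document-style
name and a Word icon that is really a Windows executable. The check looks at
the name the user sees and at the file's first bytes, never at the icon.
All file names and byte strings below are constructed sample data.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

DOC_EXT = {".doc", ".docx", ".pdf", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}


@dataclass
class Finding:
    name: str
    reason: str


def _suffixes(name: str) -> List[str]:
    return [s.lower() for s in PureWindowsPath(name).suffixes]


def is_pe(data: bytes) -> bool:
    """Windows executables (PE files) start with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def triage(name: str, data: bytes, lure_name: Optional[str] = None) -> Optional[Finding]:
    """Return a Finding when the file is an executable dressed up as a document.

    lure_name is the document the victim was told they were downloading
    (for example the PDF that carried the link); when the stems match but the
    extension has changed to an executable one, that is the Spark pattern.
    """
    suffixes = _suffixes(name)
    ext = suffixes[-1] if suffixes else ""
    doc_named = any(s in DOC_EXT for s in suffixes)

    # report.pdf.exe: a document extension hidden in front of an executable one
    if ext in EXEC_EXT and doc_named:
        return Finding(name, "double extension: document name ending in " + ext)
    # report.exe delivered where the victim expected report.pdf
    if ext in EXEC_EXT and lure_name:
        same_stem = (PureWindowsPath(name).stem.lower()
                     == PureWindowsPath(lure_name).stem.lower())
        if same_stem:
            return Finding(name, f"same name as lure {lure_name!r} but delivered as {ext}")
    # report.docx whose bytes are actually a PE image
    if ext in DOC_EXT and is_pe(data):
        return Finding(name, "PE 'MZ' header inside a file with a document extension")
    return None


def scan_archive(entries: Dict[str, bytes], lure_name: Optional[str] = None) -> List[Finding]:
    """Triage every entry extracted from a downloaded archive."""
    findings = []
    for name, data in entries.items():
        f = triage(name, data, lure_name)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    # Constructed sample: the lure PDF points at an archive whose only payload
    # reuses the PDF's name but is a PE executable carrying a Word icon.
    sample = {
        "special_report.exe": b"MZ\x90\x00\x03\x00\x00\x00",
        "readme.txt": b"see attached",
    }
    for f in scan_archive(sample, lure_name="special_report.pdf"):
        print(f"{f.name}: {f.reason}")
```

The `lure_name` parameter is the piece that catches the exact case described in the article: the executable carries no double extension, so only the fact that its stem equals the lure PDF's stem gives it away. Mail and web gateways that already strip executables from archives make the first two rules redundant; the third (PE header behind a document extension) still matters for anything that reaches the endpoint.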
The Spark Campaign, concludes Cybereason, suggests the social engineering element is “specifically meant to lure and appeal to victims from the Middle East, especially towards individuals and entities in the Palestinian territories likely related to the Palestinian government or the Fatah movement.”
The second campaign, Pierogi, is slightly different but also tied to MoleRATs. It is similarly targeted against Palestinian individuals and entities that are likely related to the Palestinian government. The lure is also primarily political, centering on the various political tensions between Hamas and other regional entities. In some cases, the target is encouraged to open an email attachment; in others to download a political report. The downloaded file is usually an executable masquerading as a Word document, or a weaponized Word document.
If the malicious document is opened, Pierogi is dropped. During this process, to allay suspicion, the victim is presented with a visible document that could contain genuine information — or pure fake news promoting a political agenda. Where an attached weaponized Word document is used, a simple, unobfuscated macro downloads a Base64-encoded payload, decodes it, and runs the Pierogi executable.
Pierogi’s functionality is similar to that of Spark. It collects information about the machine, can take screenshots and upload them to the C2 server, and it can download additional payloads and execute arbitrary commands. It creates persistence through a classic startup item autorun technique: a shortcut is added to the startup folder, pointing to the binary’s location in the C:\ProgramData folder. A GUID generated by the malware is stored in the same folder as GUID.bin.
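A hunt for the persistence pattern just described, as an added example (not code from the page or from Cybereason): it takes a snapshot of a user's Startup folder (shortcut name mapped to the target path it launches) together with a directory listing, flags shortcuts whose target lives under C:\ProgramData, and escalates when a GUID.bin file sits beside the target. Legitimate software also places helpers in ProgramData, so a ProgramData target on its own is only a review item; the GUID.bin sibling is the discriminator. All paths and listings here are constructed sample data; on a live host they would be resolved from the .lnk files and the filesystem.

```python
r"""Hunt for Pierogi-style Startup-folder persistence.

Added example, not code from the page or Cybereason. Input is a snapshot of
the per-user Startup folder (shortcut -> resolved target) and a listing of
the directories those targets live in. A target under C:\ProgramData is a
review item; a target under C:\ProgramData with GUID.bin next to it matches
the pattern described in the article. STARTUP and LISTING below are
constructed sample data, not a real host.
"""
from pathlib import PureWindowsPath
from typing import Dict, List, Set

PROGRAMDATA = ("c:\\", "programdata")
MARKER = "guid.bin"


def norm(path: str) -> str:
    """Canonical lower-case form so listing keys and targets compare equal."""
    return str(PureWindowsPath(path)).lower()


def under_programdata(target: str) -> bool:
    """True when the first two path components are the C: drive and ProgramData."""
    parts = tuple(p.lower() for p in PureWindowsPath(target).parts[:2])
    return parts == PROGRAMDATA


def hunt(startup_links: Dict[str, str], listing: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per Startup shortcut that launches from ProgramData.

    startup_links: shortcut name -> target path the shortcut launches
    listing:       normalised directory -> set of file names found there
    """
    findings = []
    for link, target in startup_links.items():
        if not under_programdata(target):
            continue
        folder = norm(str(PureWindowsPath(target).parent))
        names = {n.lower() for n in listing.get(folder, set())}
        has_marker = MARKER in names
        findings.append({
            "shortcut": link,
            "target": target,
            "severity": "match" if has_marker else "review",
            "note": ("target under ProgramData with GUID.bin alongside"
                     if has_marker else
                     "target under ProgramData; verify publisher and install path"),
        })
    return findings


# Constructed snapshot: one ordinary autorun, one entry matching the pattern,
# one ProgramData entry without the marker that only needs a look.
STARTUP = {
    "OneDrive.lnk": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "Updater.lnk": r"C:\ProgramData\Updater\Updater.exe",
    "Vendor Agent.lnk": r"C:\ProgramData\Vendor\agent.exe",
}
LISTING = {
    norm(r"C:\ProgramData\Updater"): {"Updater.exe", "GUID.bin"},
    norm(r"C:\ProgramData\Vendor"): {"agent.exe", "agent.log"},
}

if __name__ == "__main__":
    for f in hunt(STARTUP, LISTING):
        print(f"[{f['severity']}] {f['shortcut']} -> {f['target']}: {f['note']}")
```

To run this across a fleet, the `STARTUP` map is the part an EDR query or a `Get-ChildItem` over each user's `Startup` folder would supply after resolving the `.lnk` targets; the marker name is the only campaign-specific value, so the same function serves as a generic "autorun launching from ProgramData" review with the indicator supplied from the report.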
The infrastructure for the Pierogi campaign seems to have been created specifically for the campaign. The domains were registered in November 2019 and operationalized shortly afterward. “The Pierogi backdoor discovered by Cybereason during this investigation seems to be undocumented and gives the threat actors espionage capabilities over their victims.” Cybereason suggests it may have been obtained through underground communities rather than developed in-house by MoleRATs.